There is no argument?
Come over to the CIS/Boss project where they ARE arguing it... and so
far I'm losing the argument that two factor at this time in the industry
isn't mature enough to be "minimum baseline security" for protecting
PII and confidential data.
Al Mulnick wrote:
As long as we're eating this type of food...
There is no argument that 2-factor auth is going to be stronger and
therefore preferred. To argue it would be extremely difficult.
The assertions in the article are made based on 1950's data. Hmm...
Interesting, but I think he makes his case that 7 is just a
coincidence and not a sure limit. Also, he supports the same theory
that Dr J puts forth in saying that we "chunk" the data into usable
pieces. Is that 7 usable chunks? Maybe. Can that be used to help
defeat pass phrases? Yes, I think so.
LM hashes? As I recall, the older method broke the information into 2
x 7 bit "chunks". Result: If you had a password of 8 chars, you
really had a password of 7 chars + 1 chars.
Is that significant? Yes because it means you could more easily guess
the second 8 (fewer variations) and from that more likely derive the
first 7. We introduced the usage of passwords with special characters
in the hopes that adding random non-sensical characters with no
relation to the words would be harder to crack. It is, but the
question remains: is it enough?
I don't see the basis for the 7 character limit on the password in the
documents you posted Sussan, the documents that Steve posted, nor in
the ones that I posted. I see strong arguments for two-factor auth,
but I think we'll start an entire new conversation regarding what
two-factor auth really looks like in practice.
In the end, it boils down to this (for me anyway): We as professionals
need to understand and mitigate the risks appropriate to the tasks.
This is a continuous cycle and shows no end. There is no perfection,
only trade-offs and balance to be achieved. Additionally, our vendors
(Microsoft in this case) need to provide the tools for us to achieve
our goals else risk us finding another vendor that does to accomplish
the business requirements.
"The only truly secure machine is a machine that is completely
disconnected and encased in a sealed, steel-reinforced concrete bunker
with 6ft walls, guarded night and day by trained military experts.
Everything else represents trade-offs made between usefulness and
security." - ajm
Of course, if it's worth doing, it's worth doing well. I would add
the background to the recommendation to use passphrases: only do so if
it meets your needs or if you cannot implement two-factor
authentication mechanisms.
My thoughts anyway.
Al
On 4/3/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]*
<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
Sorry one more thing.. in a Center for Internet Security project
to set
Baseline Operational Security Standards for protecting sensititive
data
(both PII and business confidential)... they are actually leaning
strongly towards recommending two factor authentication and not just
passwords and a protection factor.
When LC5 was still around (before Symantec killed it) cracking 7
or less
character passwords on a network with lanmanhashes enabled ...
those got
broken pretty quickly. 14 characters breaks the lanmanhash setting.
Ergo the recommendaton for long passphases for admin accounts (and
Joe
has stated that they lock up the 500 accounts and make those pass
phrases even longer than that)
Someone stated today that maybe we need to consider a password policy
that does not require a change out of every 90 days as that does
tend to
make the person weaken a password or reuse something.
If instead they used a long and nasty passphrase and only changed it
once a year.. would that actually be less risk than one changed
more often?
Food for thought.
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> The Magical Number Seven:
> http://www.well.com/user/smalin/miller.html
>
> Protecting your Windows Network, Dr. Jesper Johansson and Steve
Riley
> site that study regarding the ability of humans to process
> information. (Good book btw..entertaining security book)
>
>
>
>
> Amazon.com <http://Amazon.com>: Protect Your Windows Network :
From Perimeter to Data
> (Microsoft Technology): Books: Jesper M. Johansson,Steve Riley:
>
http://www.amazon.com/gp/product/0321336437/sr=8-1/qid=1144114723/ref=pd_bbs_1/103-7946857-8851835?%5Fencoding=UTF8
>
>
>
>
> Al Mulnick wrote:
>
>> I'd be very interested to see the technical data that backs
that up
>> (not you Neil, but the folks from Microsoft that make that claim.)
>>
>> Is it related to people being able to remember a limited number of
>> numbers
>> perhaps?(
http://www.youramazingbrain.org.uk/yourmemory/digitspan.htm
>> ) Or is there some other empirical data that says that
passwords with
>> greater than 7 characters is likely to be repeated?
>>
>> Or could it be that somebody at MS is sore that NTLM had to be
>> upgraded to beyond two 7 char strings? ;)
>>
>> Seriously, I see nothing like that here
>> http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf or
>> here http://www.passwordresearch.com/stats/statindex.html
>>
>> I think that's a load of bologna to make a suggestion to keep
>> passwords to less than 7 characters. If anything, there's no
reason
>> not to make them longer as the more characters that have to be
>> guessed, the harder it becomes to brute-force hack them (assuming
>> that passwords are not stored as two 7 char strings, right?) That
>> allows the system to be even more useful because you can then
extend
>> the attempts prior to lockout making the system more useful to the
>> end user.
>> In the end, there are some assertions that passwords by themselves
>> are coming to the end of their useful life. Hmm.. Maybe. But I
think
>> coupled with good lockout policies, strong passwords mean we can
>> mitigate the risks for most situations. Not forever of course.
>>
>> I'd love to see some of that data that shows that users repeat
after
>> 7 characters if anyone has it.
>> Al
>>
>>
>>
>> Just for fun:
>> http://plus.maths.org/issue31/features/eastaway/index-gifd.html
<http://plus.maths.org/issue31/features/eastaway/index-gifd.html>
>>
>> On 3/6/06, [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>
>> <mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>>* < [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>
>> <mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>> > wrote:
>>
>> The use of >20 char passwords caught my eye.
>> In previous discussions with MS et al, it was
suggested that
>> the
>> majority of users would simply repeat a (at most ( 7 char
password
>> n times, so as to meet the 20+ char pw policy requirement.
>> As a result, I have heard it suggested that in reality
(not
>> theory) a pw policy of more than 7 chars is actually counter
>> productive. [Any pw policy with a multiple of 7 chars being
most
>> counter productive.]
>> Food for thought,
>> neil
>>
>>
>>
------------------------------------------------------------------------
>> *From:* [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>
>> <mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>> [mailto:
>> [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>
>> <mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>>] *On Behalf Of *Ulf B.
>> Simon-Weidner
>> *Sent:* 05 March 2006 08:35
>>
>> *To:* [email protected]
<mailto:[email protected]>
>> <mailto:[email protected]
<mailto:[email protected]>>
>> *Subject:* RE: [ActiveDir] How Secure is a Domain Controller?
>>
>> I've written down some related thoughts once:
>>
>>
http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx
>>
>> Gruesse - Sincerely,
>>
>> Ulf B. Simon-Weidner
>>
>> MVP-Book "Windows XP - Die Expertentipps":
>> http://tinyurl.com/44zcz
>> Weblog: http://msmvps.org/UlfBSimonWeidner
>> <http://msmvps.org/UlfBSimonWeidner>
>> Website: _http://www.windowsserverfaq.org_
>> <http://www.windowsserverfaq.org/>
>> Profile:
>>
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
>>
>>
>>
>>
------------------------------------------------------------------------
>> *From:* [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>
>> <mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>> [mailto:
>> [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>
>> <mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>>] *On Behalf Of
>> *Edwin
>> *Sent:* Sunday, March 05, 2006 4:17 AM
>> *To:* [email protected]
<mailto:[email protected]>
>> <mailto: [email protected]
<mailto:[email protected]>>
>> *Subject:* [ActiveDir] How Secure is a Domain Controller?
>>
>>
>> How Secure is a Domain Controller that is fully patched on a
>> default install of Windows 2003? When promoted the domain
>> controller has the two default policies, both of which are
>> recommended not to be modified. But there are things that
could
>> be done better for added security. For example, NTLMv2 refuse
>> NTLM and LM. Is it common practice to add additional GPO's
to the
>> DC OU? Or is DC protected enough to where all that is
needed to
>> worry about are the member machines?
>>
>>
>> If adding additional GPO's to the DC OU, is there anything that
>> should definitely be avoided?
>>
>>
>> Edwin
>>
>> PLEASE READ: The information contained in this email is
>> confidential and
>> intended for the named recipient(s) only. If you are not an
intended
>> recipient of this email please notify the sender
immediately and
>> delete your
>> copy from your system. You must not copy, distribute or
take any
>> further
>> action in reliance on it. Email is not a secure method of
>> communication and
>> Nomura International plc ('NIplc') will not, to the extent
>> permitted by law,
>> accept responsibility or liability for (a) the accuracy or
>> completeness of,
>> or (b) the presence of any virus, worm or similar malicious or
>> disabling
>> code in, this message or any attachment(s) to it. If
verification
>> of this
>> email is sought then please request a hard copy. Unless
otherwise
>> stated
>> this email: (1) is not, and should not be treated or relied
upon as,
>> investment research; (2) contains views or opinions that are
>> solely those of
>> the author and do not necessarily represent those of NIplc;
(3) is
>> intended
>> for informational purposes only and is not a recommendation,
>> solicitation or
>> offer to buy or sell securities or related financial
instruments.
>> NIplc
>> does not provide investment services to private customers.
>> Authorised and
>> regulated by the Financial Services Authority. Registered
in England
>> no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St
>> Martin's-le-Grand,
>> London, EC1A 4NP. A member of the Nomura group of companies.
>>
>>
>
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
